On 22/10/2018 14:09, P J P wrote: > From: Prasad J Pandit <p...@fedoraproject.org> > > While performing gpio write via strongarm_gpio_handler_update > routine, the 'bit' index could access beyond s->handler[28] array. > Add check to avoid OOB access. > > Reported-by: Moguofang <moguof...@huawei.com> > Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> > --- > hw/arm/strongarm.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/hw/arm/strongarm.c b/hw/arm/strongarm.c > index ec2627374d..3dda75feaf 100644 > --- a/hw/arm/strongarm.c > +++ b/hw/arm/strongarm.c > @@ -532,7 +532,9 @@ static void > strongarm_gpio_handler_update(StrongARMGPIOInfo *s) > > for (diff = s->prev_level ^ level; diff; diff ^= 1 << bit) { > bit = ctz32(diff); > - qemu_set_irq(s->handler[bit], (level >> bit) & 1); > + if (bit < sizeof(s->handler) / sizeof(s->handler[0])) { > + qemu_set_irq(s->handler[bit], (level >> bit) & 1); > + } > } > > s->prev_level = level; >
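Review bot: the new bounds check in the `if (bit < sizeof(s->handler) / sizeof(s->handler[0]))` line is correct, but QEMU already provides the ARRAY_SIZE() macro for exactly this idiom, so the condition should read `if (bit < ARRAY_SIZE(s->handler))`. Two further points on the hunk: the loop remains well-formed for out-of-range bits, since `diff ^= 1 << bit` clears each bit whether or not the handler was invoked, so termination is unaffected; and the check silently discards writes to bits 28 to 31 rather than reporting them, so the commit message (or a short comment above the `if`) should state that those bits have no handler and are intentionally ignored.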
This is correct, but please use ARRAY_SIZE(s->handler). Paolo